Windows Secure Boot certificates expire in June, Microsoft warns

Microsoft said it has begun rolling out new Secure Boot security certificates, ahead of a late June 2026 expiration deadline that affects virtually every Windows device globally.

The certificates, which have protected the Windows boot process since 2011, must be replaced before they expire.

Not doing so means devices will enter what Microsoft describes as a "degraded security state."

Secure Boot operates before Windows loads, blocking untrusted code from executing during startup.

The trust mechanism relies on certificates stored in device firmware; Microsoft said the original digital credentials are reaching the end of their planned lifecycle after more than 15 years.

Some devices will also require firmware updates from manufacturers before they can apply the new certificates, adding complexity to deployment planning.

"This work included close collaboration with device manufacturers and firmware providers responsible for the Unified Extensible Firmware Interface [UEFI] on a standards-based approach," partner director for Windows servicing and delivery Nuno Costa said in a blog post.

Microsoft describes the effort as one of the largest coordinated security maintenance projects across the Windows ecosystem.

Devices that miss the updating deadline will continue functioning normally, but Microsoft warns they cannot install future boot-level security mitigations as new vulnerabilities emerge.

This could also lead to compatibility issues causing newer operating systems, firmware and hardware, or Secure Boot dependent software to fail to load.

Microsoft said many newer devices built since 2024 already include the updated certificates and require no action.

The company plans to add certificate update status messages to the Windows Security app in coming months to help consumers track progress.

Enterprises can access detailed guidance through Microsoft's IT administrator playbook.